Win32/Exploit.MS04-028

Discussion in 'NOD32 version 2 Forum' started by bornconfuzd, May 13, 2007.

Thread Status:
Not open for further replies.
  1. bornconfuzd

    bornconfuzd Registered Member

    Joined:
    Jan 27, 2007
    Posts:
    106
    Location:
    Houston, TX
    Hi all,

    Day before yesterday Nod32 popped up a warning about the above threat.

    Here are log entries from Nod32:

    Time: 5/12/2007 14:39:40 PM
    Module: AMON
    Object: file
    Name: C:\Users\Larry\Pictures\Neal\2003\Helen Shaffer's 90th Birthday Party at Sprout's\~onica J. Baker, Cathe M. Baker, & Neal A. Baker.tmp
    Threat: Win32/Exploit.MS04-028 trojan
    Action: quarantined - deleted
    User: Dell-E510\Larry
    Information: Event occurred on a new file created by the application: C:\Program Files\Windows Media Player\wmplayer.exe. The file was moved to quarantine. You may close this window.

    Time: 5/12/2007 14:39:37 PM
    Module: AMON
    Object: file
    Name: C:\Users\Larry\Pictures\Neal\2003\Helen Shaffer's 90th Birthday Party at Sprout's\~elen Shaffer, Ike Shaffer.tmp
    Threat: Win32/Exploit.MS04-028 trojan
    Action: quarantined - deleted
    User: Dell-E510\Larry
    Information: Event occurred on a new file created by the application: C:\Program Files\Windows Media Player\wmplayer.exe. The file was moved to quarantine. You may close this window.

    Yesterday, same threat warnings, same logs about the same two files, which are photos.

    I've run in-depth scan and normal scan with no results.

    Nod32 is reporting that the files are created by Windows Media player. I don't get that either, except that I guess WMP 11 now indexes photos and may interact with Photostory 3.1.

    I'm completely at a loss here as to what to do next. I have not deleted these two photos because Nod32 tells me that WMP has actually created the offending files as .tmp files and they are nowhere to be found.

    Any enlightenment would be very much appreciated!!!

    Dell E510
    2GB DDR2 SDRAM
    250GB Seagate SATA HDD
    Windows Vista Ultimate
    Nod32 licensed
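For anyone triaging a thread like this, the useful first step is to pull the AMON log lines apart into their fields (time, module, object, path, threat, action, user, originating application) and notice what repeats: here the same threat name, the same quarantined temp files, and the same creating process every day. The following script is an added example, not part of the original post or of ESET's software. It assumes the one-line export layout the poster pasted (fields separated by single spaces, the threat name followed by a category word such as "trojan", and the information text naming the creating application after "created by the application:"); the sample log text is the two entries from the post, re-typed here as a constant.

```python
import ntpath
import re
from collections import Counter, defaultdict

# Constructed sample: the header line and the two AMON entries quoted in the
# post above, in the one-line export form (not a live NOD32 log file).
SAMPLE_LOG = r"""
Time Module Object Name Threat Action User Information
5/12/2007 14:39:40 PM AMON file C:\Users\Larry\Pictures\Neal\2003\Helen Shaffer's 90th Birthday Party at Sprout's\~onica J. Baker, Cathe M. Baker, & Neal A. Baker.tmp Win32/Exploit.MS04-028 trojan quarantined - deleted Dell-E510\Larry Event occurred on a new file created by the application: C:\Program Files\Windows Media Player\wmplayer.exe. The file was moved to quarantine. You may close this window.
5/12/2007 14:39:37 PM AMON file C:\Users\Larry\Pictures\Neal\2003\Helen Shaffer's 90th Birthday Party at Sprout's\~elen Shaffer, Ike Shaffer.tmp Win32/Exploit.MS04-028 trojan quarantined - deleted Dell-E510\Larry Event occurred on a new file created by the application: C:\Program Files\Windows Media Player\wmplayer.exe. The file was moved to quarantine. You may close this window.
"""

# Assumed field layout of the export (an assumption about this paste, not a
# documented NOD32 format): the object path may contain spaces, so it is
# matched lazily and delimited by the "<name> <category>" threat token pair.
LOG_RE = re.compile(
    r"^(?P<time>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2}(?: [AP]M)?) "
    r"(?P<module>\S+) "
    r"(?P<object>\S+) "
    r"(?P<name>.+?) "
    r"(?P<threat>\S+ (?:trojan|worm|virus|application|adware)) "
    r"(?P<action>quarantined - deleted|quarantined|deleted|cleaned) "
    r"(?P<user>\S+) "
    r"(?P<info>.*)$"
)

# The creating process is only given inside the free-text information field.
APP_RE = re.compile(r"created by the application: (?P<app>.+?\.exe)")


def parse_amon_line(line):
    """Return a dict of fields for one export line, or None for headers/junk."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    app = APP_RE.search(event["info"])
    event["app"] = app.group("app") if app else None
    return event


def parse_log(text):
    """Parse every line of an export; lines that do not fit are skipped."""
    events = [parse_amon_line(line) for line in text.splitlines()]
    return [e for e in events if e is not None]


def is_temp_derivative(name):
    """Heuristic: a '~xxx.tmp' name is a working copy written by some
    application, not the user's original file."""
    base = ntpath.basename(name)
    return base.startswith("~") and base.lower().endswith(".tmp")


def summarize(events):
    """Group detections so repeats stand out: per threat, per creating
    application, and per directory (where the source files of any temp
    derivatives are likely to live and should be scanned or submitted)."""
    by_threat = Counter(e["threat"] for e in events)
    by_app = Counter(e["app"] or "<unknown>" for e in events)
    by_dir = defaultdict(set)
    for e in events:
        if is_temp_derivative(e["name"]):
            by_dir[ntpath.dirname(e["name"])].add(ntpath.basename(e["name"]))
    return {
        "by_threat": dict(by_threat),
        "by_app": dict(by_app),
        "by_dir": {d: sorted(names) for d, names in by_dir.items()},
    }


if __name__ == "__main__":
    summary = summarize(parse_log(SAMPLE_LOG))
    for key, value in summary.items():
        print(key)
        for k, v in value.items():
            print("   ", k, "->", v)
```

Run against the paste, the summary shows one threat name, one creating process (wmplayer.exe) and one directory holding both "~...tmp" derivatives, which is the directory whose original images are worth scanning on demand or submitting to the vendor if the detections keep recurring.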
     
  2. 19monty64

    19monty64 Registered Member

    Joined:
    Apr 10, 2006
    Posts:
    1,302
    Location:
    Nunya, BZ
  3. bornconfuzd

    bornconfuzd Registered Member

    Joined:
    Jan 27, 2007
    Posts:
    106
    Location:
    Houston, TX
    Hi monty64,

    Thanks for the link. After reading the bulletin you linked, I'm even more confused. It references a couple dozen Microsoft programs with the vulnerability, none of which I have installed. I'm not sure I should install an update, for instance written for XP, on my Vista machine.

    Is it possible I'm getting a false positive from Nod32?

    Or perhaps there is a new vulnerability in the current batch of Microsoft products? Since Nod32 is reporting that the offending file is "created by Windows Media Player", maybe WMP 11 has a new vulnerability.

    The fun just never stops! :)
     
  4. ASpace

    ASpace Guest

    The fact that it is from 2004 means that it doesn't affect Vista. However, these temp files are suspicious. Just wait for a security expert or ESET Moderator to explain better.

    In all cases you remained protected ;)
     
  5. bornconfuzd

    bornconfuzd Registered Member

    Joined:
    Jan 27, 2007
    Posts:
    106
    Location:
    Houston, TX
    Thanks for the reply HiTech boy.

    Yes, I agree about the temp files.

    So, as you suggest, I'll wait for advice from the experts.
     